What do you need to know to start your journey in web pentesting?
Prepared material – t.me/fuckwebsec
Express gratitude – @fkshelL
Prepared for the community – t.me/nftgkit
——————————
– Learning the basics of web technologies
MSDN – articles on web basics and more (ru)
⚒ HTML Academy – quite a lot of free information and labs that give a general understanding (ru)
I recommend taking the free blocks from the “Getting to Know the Frontend” course.
——————————
– Learning web security
Methodologies, useful articles and a lot of theory on hacking on HackTricks (en)
⚒ PortSwigger Academy – a resource with articles and practical tasks; after completing them you can receive a certificate (en)
⚒ TryHackMe – the portal contains articles and lab tasks not only for learning web pentesting, but also for SOC and Red Team work (en)
⚒ Vulnerable applications ⚒ – aimed at practicing finding and exploiting the most common web vulnerabilities at various levels of complexity
⚒ OWASP Juice Shop is a classic with which pentesters begin their journey. Deployment instructions are in the setup section of the README.md file
⚒ Damn Vulnerable Web Application. You can find quite a lot of applications with a similar pattern in the name; Damn Vulnerable Web Application is one of the options you can practice on
A game developed by Google for studying attacks such as XSS
What to watch if you perceive information best visually?
General security course from Yandex Academy (ru)
——————————
– Learning programming languages
>Python
⚒ Free IDE including interactive tasks
Fluent Python – book by O’Reilly (en)
Python basics course from Yandex Academy (ru)
A bonus for those who have already mastered the basics and want to try a web development framework: a small tutorial book with a funny title, Django for girls (ru)
>JavaScript
JavaScript.ru – a book that helps in learning JS (ru)
>Bash
⚒ Knowledge of Linux and the ability to work with the command shell will undoubtedly be useful when working as a pentester. W3Schools – a resource that will help in learning (en)
Version control systems
The need to use a version control system will be highlighted in various programming courses. Git-Book is a resource where you can find as much information as possible about git and how to use it
Yesterday we promised to write a post about a possible hack of JetBrains, and now we are writing it.
On January 6, the New York Times published an article describing, in its characteristic manner and (of course) citing sources, that American intelligence agencies and information security researchers are studying the possibility that hackers used the previously compromised Czech company JetBrains to penetrate further into the SolarWinds network.
It’s not for nothing that we compared such a hack to a “supply chain attack squared”: JetBrains is a developer of software development tools. In particular, TeamCity, which the NYT mentioned, is a continuous integration tool that has been in production since 2006 and is used by thousands of developers around the world. TeamCity is especially popular among Android application developers.
In the event of a successful attack on the internal infrastructure of JetBrains, hackers would be able to compromise most of the developers using its tools, and then hack their clients. The potential consequences are catastrophic.
But since NYT journalists do not change their habits, they presented the material in an extremely pretentious manner and without any solid factual basis. For this they were immediately ostracized by the information security community, which pointed to the lack of evidence, the vagueness of the wording, and even “groundless distortions.”
JetBrains itself, represented by CEO Maxim Shafirov, promptly gave several comments denying that anyone had approached the company in connection with a compromise of TeamCity.
The infosec community’s strong reaction is understandable. TeamCity and other JetBrains tools are used by developers everywhere, and their possible compromise by hackers would look as if the Belarusian partisans had deployed their operational base in the courtyard of the personal headquarters of the Reichsführer SS, planted potatoes and periodically lured away the SS men (naturally, we give this allegory without regard to comparisons of good and bad).
However, it is not all so simple. Materials about the FBI’s investigation into the possible compromise of JetBrains were provided not only by NYT journalists, but also by other reputable American publications. For example, Reuters, which, by the way, was the first to write about the SolarWinds hack.
Therefore, it is quite possible that this was a deliberate leak of information on the part of American investigators in a case where they cannot make an official statement for one reason or another. And if the compromise of JetBrains was really carried out by hackers, then this could easily qualify for the “hack of the decade” label.
